The attack begins before the intrusion
A principal can have well-managed devices and still be easy to approach. A family office can have modern security controls and still publish enough operational context for an attacker to impersonate a provider, identify an assistant, select a travel window or target an account-recovery path. The first stage is not always exploitation. It is orientation. The attacker wants to know who matters, who is trusted, which systems carry authority, what language will sound credible and when the target will be least able to verify independently. Public sources, breached data, marketing records, company filings, property information, social activity and technical exposure can collectively answer those questions.
Exposure is not a list of personal facts
A conventional report often inventories names, addresses, domains and leaked credentials. That is useful but incomplete. The serious question is what those facts permit. An old mobile number matters if it remains a recovery factor. An assistant’s name matters if the person can reset access or validate urgency. A travel photograph matters if it confirms that normal verification will be inconvenient. A vendor relationship matters if its invoices, login page or support language can be imitated. The unit of analysis is leverage, not visibility.
The five exposure layers
- Identity — names, roles, contact details, relationships and aliases that establish who can credibly speak for whom.
- Routine — travel, events, working patterns, family movements and transaction timing that create windows of reduced verification.
- Authority — assistants, advisors, providers and recovery channels capable of influencing access or action.
- Technical surface — domains, remote services, exposed devices, forgotten systems and weakly governed third-party access.
- Narrative — disputes, investments, philanthropy, interests and public positions that allow an approach to feel specific and believable.
These layers should be evaluated together. The most serious finding is often not a single exposed item but a path: identify the assistant, imitate a known provider, exploit a travel window, redirect the recovery process, then use the trusted channel to authorize something else.
A responsible assessment has boundaries
Exposure work can itself become invasive. The assessment must therefore have written authority, a defined subject, an agreed purpose and explicit limits. It should not test live accounts, contact third parties, acquire unlawfully obtained data or perform covert activity merely because information is technically accessible. The method should also distinguish between what was directly observed, what was inferred and what remains unverified. A polished report that blurs those categories creates its own risk.
Score the path, not the embarrassment
Severity should not rise because a fact feels private. It should rise because the fact improves an attacker’s ability to identify, approach, recover, persuade, access or cause action.
- Reachability — can the exposed condition be used against a live person, account or service?
- Authority — does the target control access, information, money or reputation?
- Credibility — does the context make an impersonation or pretext more believable?
- Combinability — does it connect with other findings to create a stronger path?
- Persistence — will the exposure remain useful after a simple removal or password change?
- Detectability — would attempted use be noticed before consequence?
A low-visibility recovery dependency can be more serious than a widely published address. The assessment must be allowed to reach that conclusion.
Remediation has an order
The first instinct is often removal. Removal can help, but it is not always available and can occasionally confirm that a source matters. The stronger sequence is to break the attacker’s path.
- Remove direct access to authority: obsolete recovery factors, unmanaged domains, shared credentials and unnecessary administrator routes.
- Separate verification channels so compromise of one does not validate another.
- Reduce predictable public timing where it creates operational risk.
- Compartmentalize providers, staff and family access according to actual need.
- Monitor the highest-consequence identities and services for change.
- Then reduce residual visibility where removal is lawful, durable and proportionate.
The target is not invisibility. That is rarely realistic. The target is the reduction of useful leverage.
What good looks like
A strong exposure assessment should leave the client with three things: a clear map of how an attacker could orient themselves, a ranked set of paths that create consequence, and a small number of interventions capable of breaking those paths. If the output is simply a thick report of facts the client already knows, the assessment has documented exposure without reducing it.
